Welcome to the new Becker-Posner Blog, maintained by the University of Chicago Law School.

09/17/2006

Deterring Identity Theft--Posner

"Identity theft" (or identity fraud) refers to fraud effectuated by stealing personal identifying data, such as a credit card number or a social security number, often by means of computer hacking or by emails in which the sender impersonates an individual, firm, or agency that has a legitimate need for the identifying data. Identity theft has become extremely common and is estimated to be defrauding Americans of a total of more than $50 billion a year. This is an understatement of the social costs of identity theft because victims often must spend hundreds of hours restoring their credit. Maximum punishments are severe, but the garden-variety identity theft is not heavily punished relative to potential gains. For example, an identity thief who steals $1 million and has no previous criminal record is (if prosecuted for violating federal fraud law) likely to receive a prison sentence of less than five years, except that as a result of the recently enacted Identity Theft Penalty Enhancement Act another two years will be tacked on.
The economic theory of punishment teaches that, at least as a first approximation, the expected cost of the fine or other punishment for crime should just exceed the expected gain to the criminal from committing the crime, in order to make it worthless to him. If we are not completely confident about what the gain from the crime is likely to be (or if we think some crimes, like breaking into an unoccupied vacation house in a snowstorm, should not be deterred), we may want to base the sentence on the victim's loss instead of the perpetrator's gain. In the usual case of identity theft, the loss to the victim will exceed the gain to the thief, because the time costs to the victim are not recouped in any form by the thief. Oddly to a noneconomist, those costs, together with the costs of efforts by potential victims of identity theft to avoid becoming actual victims and the costs incurred by the identity thieves themselves to accomplish their thefts, are the real social costs of identity theft. The mere transfer of wealth from victim to thief does not reduce the social product, but merely rearranges it.
The word "expected" which I used in the preceding paragraph is intended to distinguish between a certain value and a probabilistic one. The expected value of a 100 percent probability of incurring a cost of $100 is $100, but so is the expected value of a 1 percent probability of incurring a cost of $10,000 ($100 = .01 X $10,000). If the probability of apprehending and punishing an identity thief is very low, the punishment will have to be jacked up very high in order to deter. Suppose an identity thief who sends out 100,000 "phishing" emails (impersonating persons or firms who would have a legitimate need for access to the recipient's personal identifying information) anticipates a $10,000 profit. If the probability that he will be caught and punished for his fraud is 1 percent, then a fine slightly in excess of $1 million would be necessary to deter him. Probably he could not pay such a fine, and so a prison sentence would have to be substituted, designed to impose the equivalent disutility on him.
My guess is that very few identity thieves are caught, and also that many of them make a lot more than $10,000 per fraud, given such techniques as phishing that enable a fraudulent solicitation to be disseminated essentially without cost to an immense number of potential victims; if even a minute percentage of the recipients are hooked, the identity thief can make a killing. If this analysis is correct, the optimal punishment for identity theft is extremely heavy; it might well be life in prison.
Any proposal for punishment that strict would encounter a variety of objections--all superficial. The first is that punishment should be proportional to the gravity of the crime, in the sense of the cost that the crime imposes on the victim. By this criterion, bank robbery is a more serious crime than identity theft (and in fact is punished much more severely) because it frightens and sometimes endangers the bank's employees (only sometimes, because most bank robberies nowadays are "robbery by note"--the robber gives the teller a note saying that he is armed, but he isn't). But bank robbery is actually a sucker's crime; almost all bank robbers are caught because of a combination of surveillance cameras and the money packs that tellers are instructed to give robbers, which explode after a few minutes, covering the robber with indelible ink. Moreover, it is only because crimes that create a risk of physical injury are treated as categorically more serious than white-collar crimes that bank robbery is deemed a more serious offense than identity theft. Probably identity theft is a greater social problem (the average bank robber's take per robbery is only $7,000), and, even if it is not, almost certainly it should be punished more severely because the probability of apprehension and punishment is much lower than in the case of bank robbery.
Nor would we have to worry, as we do with many crimes, that making the punishment for a particular crime very severe may increase the incidence of a more severe crime--may in other words impair "marginal deterrence." That is the policy of imposing heavier punishments for more serious crimes not because the punishment must fit the crime in a retributive (eye for an eye) sense, but in order to deter the substitution of more serious crimes for less serious ones. Were robbery punished as heavily as murder, robbers would have a greater incentive to murder their victims because that would reduce the probability of punishment (by eliminating witnesses) without increasing its severity. It is difficult to imagine identity thieves substituting more serious crimes for identity theft.
A further argument against severe punishment is that identity theft is easily prevented by potential victims, and it is less costly to society for them to take their own precautions than for the taxpayer to pay for more prisons. There are two fallacies here. The first is the assumption that increasing the length of prison sentences increases the number of prisoners. That depends on the responsiveness of potential criminals to a higher expected cost of punishment. If it is high, then an increase in punishment may reduce the number of prisoners by increasing deterrence by a greater percentage than the added length of the sentence. (Below I argue that it is likely to be high in the case of identity theft.)
The second fallacy is to disregard the heavy aggregate costs of self-protection against identity theft. Everyone who has a credit card or social security number or other personal identifying information (which is to say everyone), and in addition has some financial resources, is a potential victim of identity theft. Among this large group of people, all who are cautious will take some steps to prevent identity theft, as will the custodians of their personal identifying information. These costs, which would be avoided if identity theft could be stamped out, must be compared with the costs of increasing the punishment of identity thieves. Those costs might be slight if the threat of heavier punishment had such a strong deterrent effect that the threat had rarely to be carried out.
A reason to expect a more than average responsiveness of crime to punishment in the case of identity theft is that identity thieves tend to be educated people, or at least to have pretty good technical skills. Educated people tend to have low discount rates because education entails deferral of earning. And people with low discount rates are more responsive to increased prison terms, which involve adding years at the end of the existing term. A person with a very high discount rate might not be deterred when his expected sentence for committing some crime increased from 20 years to 25 years, but a person with a low discount rate might consider that extra five years a significant present cost (that is, after discounting to present value--the lower the discount rate, the higher the present value of a future stream of costs or earnings). Moreover, an educated person is likely to have superior legitimate alternatives to crime than an uneducated person; and the closer a substitute a legitimate earning opportunity is for earnings for crime, the less the expected earnings from crime need be reduced by increased punishment in order to induce the substitution. This is the other side of my earlier point about marginal deterrence.

Not necessarily. It's important to consider that the amount stolen probably [though I haven't seen data] affects the probability of being caught. Someone who steals $50,000 is more likely to be caught than someone who steals $5,000, simply because the victim and the police are more likely to notice such an incident [much ID theft goes undetected for a while] and also more likely to vigorously pursue perpetrators of bigger crimes. Thus, increasing punishments [while keeping probability of apprehension the same] would not affect the amount stolen. Rational thieves already steal the maximum amount they can get away with; increasing punishment if caught does not affect that calculation. Increased punishment merely raises the expected costs of the activity, and the activity would be undertaken in fewer instances.

One argument here is that bank robbers get caught all the time, and for mere pittances. But everybody knows that bank robbery carries severe penalties. And people still rob banks all the time. So what happened to deterrence? I would expect you to be advocating a reduction in sentences for bank robbery, if they're over-deterred. Maybe there are other factors than expected marginal deterrence at play in making these decisions? Like the *real* factors? :-)

Another argument is that everybody would save a lot of money if identity theft could be "stamped out." First, can you name a single common crime in the history that's been "stamped out"? It's absurd on its face. Second, none of the costs currently expended for computer security are expended solely as a result of the fear of identity theft (or if they are, you'd have to argue and prove it). There are plenty of concurrent reasons for self-protection in that area, and no good reason to suppose aggregate costs would go down, at least not from what you've presented. So that argument is weak, too.

Well, the main point about the economic theory of punishment is that an improvement in any of the variables that go into the expected value (expected benefits minus expected detriments) equation will lead to some change in a potential criminal's decisions and behavior. The predicted penalty, either fine or jail-time, is only one of those variables. Some of the other factors are the cost of an attempt, the likelihood of success, the average take, the likelihood of getting caught, and the likelihood of getting punished if caught.

Increasing the penalty alone will undoubtedly produce some additional deterrent effect - but I personally believe it will be at a much higher cost to benefit than modifying the other variables. This is especially true since a large amount of this activity is conducted from abroad where punishment may be near impossible. But certainly it should be used as one of the weapons in our arsenal against a problem of growing social significance.

On the other hand - there are strategies that cost very little which can have significant effect on the expected value equation. For example, users cannot operate a Google mail account without having done a mobile phone text-message confirmation. Nefarious activity conducted from gmail accounts is therefore quickly linked by law enforcement to the personal information (and perhaps even the present location) of the mobile phone account holder. Increasing the probability of getting caught has significantly diminished all sorts of nasty email activity, including ID-Theft from gmail accounts to an incomparably small level in relation to the more anonymous yahoo and hotmail services. Most of these frauds don't even try to use gmail - which is exactly what we want to happen. The social cost of not having truly anonymous (and therefore easily fraudulent) email, or of people not trusting the anonymous emails they receive, is likely very slight.

Another cheap and easy way to deter ID-Theft is to change the nature of the crime. I recently received a call via some 1-800 number that was clearly a "you've won a prize, just call us with your personal info..." scam. After spending a while trying to figure out who to report such things to - I was told to contact the FBI. I called the FBI and was told (1) It's a number from Canada and we can't do anything about it, and (2) Even if it was in the US, if you haven't actually lost any money, there hasn't been a crime to investigate and we also can't do anything.

Disappointing to say the least. I don't know if this is still the law so maybe it's already been resolved, but if even an unsuccessful attempt to defraud is criminalized, the calculus changes as well - like it does with the crime of attempted murder. Instead of a million attempts with fifty successes, fifty investigations, and one successful prosecution - the investigation of all attempts will add another layer of deterrence.

Specifically, I am thinking of those novices just getting started in the email/ID fraud game. Like anything, it takes time and many failed attempts to become skilled in the art of these crimes - to learn what words work to scam people, how to avoid getting caught, etc... If the learning curve itself is prosecutable (when one isn't making money and there is also a higher chance of making a mistake and getting caught) the incentives are very much against a novice to even begin his dirty career.

And of course - there are other advantages to improved security and legal measures vs punishment because they hurt other criminals who also exploit the public anonymity that email can permit. For example, the gmail confirmation technique could also be effective for law enforcement and national security efforts against drug cartels or terrorist cells who use email to communicate. Harsh punishments will make thieves think twice, but a good chance at getting caught for even trying will push them out of the game.

A basic issue that I have with Prof. Becker's argument is that it appears to assume a linear (or at least monotonically increasing) deterrence function. In other words given a crime payoff of X and a probability of getting caught Y and a punishment of value Z we need to impose a penalty Y*Z=>X to optimally deter crime. (We could make the function more complex but the basic idea would be the same). This works nicely with a number of crimes. However, I am skeptical that this relationship would hold for white-collar crime. The basic reason is that most white collar professionals have an intense fear of prison. In other words X must be enormous to even risk a small chance of a small prison term (at least for most professionals). In other words, I would suspect there is something almost like a jump discontinuity (which of course makes modelling much more difficult). For example does anyone really think that if Jeff Skilling knew he faced a sentence of 60 years rather than 30 he would have acted honestly? Once he'd decided to risk prison additional years in prison would be fairly de minimis (i.e. the marginal deterrence once you get past the jump discontinuity is fairly elastic).

I will admit that all of this is impressionistic and I have not researched the literature to see if others have suggested this (or even better tested it empirically). However, from my own experience this seems right. Setting aside all issues of morality, I have difficulty imagining any amount of money for which I would risk more than a few weeks in prison. Given this, would even a life sentence act as an optimal deterrent for identity thieves?

I work as a collection attorney and would like to note that with most fraud accounts that I have encountered the credit card information, banking, or social security information was obtained and misused by a relative, friend or acquaintance of the victim, usually by physical access to the victim's vital information, mail or personal documents.

Of course, most obviously fraudulent accounts never reach the stage of being sent to an attorney; but it seems to me that much identity theft is not the work of professional thieves but is rather opportunistic and involves relatively small amounts of money.

I would be interested to know what percentage of identity theft losses are the work of professional identity thieves using technically sophisticated methods and what percentage of losses can be attributed to amateurs.

Should the term identity theft perhaps be limited to the professional thief using computer hacking, e-mail or like means to defraud numerous people? It seems to me that the justification for imposing very severe penalties may be limited to the case of a fraudulent scheme to obtain and use the personal information of many persons, and that the mere fact that credit has been fraudulently obtained by using another's personal information is not sufficient to distinguish the harm to be prevented from the more usual sort of fraud and larceny.

But perhaps identity theft rings could be set up similarly to drug dealing operations, in which foot soldiers (to use Levitt and Dubner's term from Freakonomics) assume most of the risk of the very high penalties - and then some higher up still reaps the rewards? In that case, higher deterrence penalties may not help.

There is an interesting argument (made by Ross Anderson, head of the computer security research dept at Cambridge University) that the name 'identity theft' is part of a general movement by banks to shift the cost of fraud against banks to their customers.

From their blog:
'Identity fraud is not fraud, from the consumer's viewpoint. If someone pretends to be me, borrows 10K from the Derbyshire Building Society and vanishes, it's the building society that's the victim, not me. If Experian then says I'm a loan defaulter when I'm not, that's libel. Suing for libel may be expensive, but the Information Commissioner has announced his willingness to issue enforcement notices against the credit agencies in such circumstances. [...]

"Identity fraud" is an objectionable concept, an attempt by the banks to dump some liability.'

The website you looked at does indeed correctly state US law. I'm a commercial lawyer, and I've had clients who were "identity theft" victims. In this case, the thieves only used publicly available information about the company, and, essentially impersonated it. They were able to induce a *lot* of vendors to ship product to the thief by relying on "fuzziness" in business credit checking.

For example, if Company is located at 1234 West Apple Street, Thief can rent 2134 West Apple Street, have product shipped there, and the vendor will assume that the discrepancy in the address is due to a data entry error. In other words, the problem is that many businesses which extend credit are *very* careless about verifying the identity of their borrowers. Recently, banks started requiring people opening accounts for corporations, LLCs, etc. to *prove* their corporate identity. Only problem is that the *proof* required will be given by the government to anybody who asks for it, so this fails, too.

I also found that police agencies were uninterested. I instructed my client to maintain absolutely that *it* was not the victim, because it had not lost any money and was not going to lose any money (and was in no event going to pay). The victims were the gullible vendors. As a result of this stance, every police agency I talked to declined to do anything, because no victim had complained.

I discovered that many large businesses which had been defrauded by professional identity theft spent little or no effort to discover or prosecute the thief, and instead focused on trying to browbeat the innocent party into making good their loss. The correct response is to tell them to get lost. I suspect that much of the reason for this focus is the fact, noted above, that many identity thieves have a relationship with the "victim," and in many cases the

PS. In the US credit libel is essentially privileged by federal law. The Fair Debt Collection Practices Act requires debt collectors to write a lot of long notices, and to have a "protest" procedure, but most such procedures are basically ineffective for correcting errors. The FDCPA preempts state libel law. It's a messed up area of law.

The costs (from the thief's perspective) relating to upfront cost of performing the crime are quite insignificant in comparison to more traditional crimes. A bank thief would have to invest in arms, conveyance and so on. So the impact of costs associated with the expected value of punishment would be based on perceived probability of being caught. This would only increase if security and technology measures as well as identity and access management by banks and such parties are bolstered. Heavier punishment would do nothing to create an incentive for this. Hence, it would be necessary for the inflicted institution (banks etc. -- who have the capability to put up systems to prevent and detect the identity thefts) to bear the impact of the fraud, which currently are largely borne by the impersonated.

Theft is theft and in most legal systems is a crime. Whereas "fraud" is a vehicle used to facilitate a theft. So what's the difference? In reality, identity fraud or theft is just the same old crime, perpetrated with the new technology of the information age. One thing that has not changed and will not change is the concept of "mens rea" or the guilty mind or criminal intent of the perpetrator of identity fraud or theft.

As with any crime in a legal system, a punishment must be established for justice to exist in society (this is as far as I'm going to go in establishing a jurisprudence for the modern age, many others have done it before me). As for punishment, I've always been of the mind that the punishment ought to fit the crime otherwise there is no justice. So what are the elements that should make up a punishment? As a preliminary, I can think of three; deterrence, retribution and reformation. Economic analysis and application of economic punishment can provide for deterrence, retribution or reformation. So can incarceration and god forbid, corporal and capital punishment. As to which is most effective, it all depends on the culture and the psychological makeup of the perpetrator with the mens rea.

Another cost of increasing the severity of penalties for identity theft (and most other crimes) is that doing so may increase the expected cost of false convictions. These expected error costs are the result of at least three factors.
(1) Convicting an innocent party results in a misallocation of resources (e.g., a skillful programmer spends time making license plates.)
(2) The concern about false convictions leads individuals to avoid engaging in economically efficient activities or expend additional resources to avoid being charged with identity theft (e.g., a lender with a fool-proof security system stops asking for Social Security numbers on loan applications out of fear that it might be accused of being the source of some leak.)
(3) The resources that innocent people devote to establishing their innocence go up. (This is a more subtle part of the story since as penalties go up, the proportion of false convictions goes down as more resources are devoted to the judicial process. That is, as the cost of a false conviction goes up, the probability of false conviction may go down by an amount sufficient to reduce the expected cost error.)

I'm not sure how this would all work out for the problem of identity theft, but an earlier comment suggested that much "identity theft" involves acquaintances. This tells me that intent matters (a case might, for example, turn on the question of whether a woman actually gave her ex-husband permission to use a credit card.) Such cases make for great day-time TV but in the real world are messy and prone to error.

Identity Theft should be punished by death. Original Sin was occasioned by the identity theft by Satan of the lowly serpent. It could therefore be fairly characterized as the Original Crime. Yet I see no Biblical exegesis in your discussion of this Holy violation of His Will. Your comments are simply insufficiently Godly, sir! Good day to you.

Could this be one of those situations where any potential deterrent effect of increased punishment would be counteracted by the responsive increase in the effectiveness of the criminals' efforts to elude detection and capture?

Should we increase the penalties for identity fraud crimes? The current penalties seem mild when compared to the economic impact of such crimes.

Perhaps not: Most of these criminals steal the identities of friends, relatives, employers etc and are probably easily caught and punished. (Except that the sums are so small that the criminal justice system doesn't want to get involved in these often messy cases.) The punishment needed to deter these criminals may be mild (if evenly enforced). These are crimes of opportunity and the criminals are unlikely to target society in general.

I'm not sure how big a problem "phishing" crimes are. $50 billion is about $200 per person per year in the United States. I imagine that shoplifting dwarfs this number. As does political corruption, Medicaid fraud, and the damage caused by speeders, not to mention drunk drivers.

Still the potential for identity crimes to escalate, in frequency and amount, is a concern. But much of the current growth seems to be based in foreign countries, away from the reach of American courts. Increased surveillance of large currency transfers could make the criminals easier to track but depending on the home country that may not lead to increased apprehension.

That means that we may need to pass laws that make it easier to track the criminals. I will let the ACLU argue this with Judge Posner. I.E. We may not need to increase the penalties if we can increase the likelihood of being caught.

We could and should increase the penalties for crimes against certain groups (the elderly), above certain dollar levels, or that involve international transfers.